"Michael" <[EMAIL PROTECTED]>:

>> apache_ssl w/openssl 9.2b
>> Everything was going fine. All of a sudden when I attempt 
>> ssl connection with NS 4.05, NS4.08 I get the message
>> "The certificate is not approved for the attempted operation"
>> NS is using PKCS#11 v2.0 lib version 4.0
>> No problems with NS 3.0x, MSIE 4.01, they work fine.

> 3rd follow up
>                           [...] I have tried everything I can think 
> of. I've completely shut down the web server host and restarted it, 
> same with the client test machines as well as deleted the cache and 
> cookies on the client machines.

Probably you are using a CA certificate for your server; if you use
"openssl req" to generate a new key and self-signed certificate with
the default openssl.cnf, the certificate you get includes certain
X.509v3 extensions that make it unfit for use as a server certificate.
This was not so with earlier versions of the software because back
then there was far less X.509v3 support.

To look at the certificate some HTTPS server presents to its clients,
use "openssl s_client -port 443 -host your.server", store the output
(at least the part from "-----BEGIN CERTIFICATE-----" up to "-----END
CERTIFICATE-----", including these separators) in a file and use
"openssl x509 -in the_file_you_just_stored -text" to look at it in
readable form.  If it has in the "X509v3 extensions section" any of
the following entries, it is not usable as a server certificate:

            X509v3 Basic Constraints:
                CA:TRUE

            X509v3 Key Usage:
                Certificate Sign, CRL Sign

To quickly create a new server key and certificate that works with
Netscape, you can just copy the original openssl.cnf file and comment
out the "x509_extensions" entry in the "[ req ]" section.
Then, use "openssl req ..." as before to create a new certificate and
key.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
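The two procedures from the reply above (inspect what the server presents and look for the CA-style X509v3 extensions; then generate a key and certificate that lacks them) as a shell script. This is an added example, not code from the original post or from the OpenSSL project. It assumes only that the openssl(1) command line tool is on PATH; the host name your.server, the file names, and the config sections are illustrative. It goes one step beyond the post: instead of merely commenting out the "x509_extensions" entry, server.cnf states server extensions explicitly, so the result does not depend on whatever extensions a given OpenSSL version adds by default.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) is on PATH;
# your.server, the file names and the config sections are illustrative.

# Print the certificate in human-readable form (the "openssl x509 -text" step).
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Returns 0 if the certificate carries "CA:TRUE" in Basic Constraints.
cert_is_ca() {
    cert_text "$1" | grep -q 'CA:TRUE'
}

# Returns 0 if the Key Usage names Certificate Sign or CRL Sign.
# The usage list is printed on the line after the "X509v3 Key Usage" header.
cert_has_ca_key_usage() {
    cert_text "$1" | awk '/X509v3 Key Usage/ { getline; print }' \
        | grep -Eq 'Certificate Sign|CRL Sign'
}

# Returns 0 only if neither CA marker is present, i.e. the certificate
# passes the check from the post and can serve as a server certificate.
server_cert_ok() {
    if cert_is_ca "$1" || cert_has_ca_key_usage "$1"; then
        return 1
    fi
    return 0
}

# Fetch what a live HTTPS server presents and keep only the PEM block
# (the s_client step from the post). Needs network, so not run below.
fetch_server_cert() {  # host port outfile
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# Write two req configs into DIR. ca.cnf reproduces the CA-style extensions
# that the old default openssl.cnf put on a self-signed certificate;
# server.cnf states server extensions explicitly.
write_configs() {  # dir
    cat >"$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
    cat >"$1/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
[ dn ]
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate a fresh key and self-signed certificate using CONFIG
# (the "openssl req ..." step), writing PREFIX.key and PREFIX.crt.
make_self_signed() {  # config prefix
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=your.server' -config "$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Offline demo: build both certificates and run the check on each.
demo() {
    dir=$(mktemp -d)
    write_configs "$dir"
    make_self_signed "$dir/ca.cnf" "$dir/ca"
    make_self_signed "$dir/server.cnf" "$dir/server"
    for name in ca server; do
        if server_cert_ok "$dir/$name.crt"; then
            echo "$name.crt: usable as a server certificate"
        else
            echo "$name.crt: NOT usable (CA extensions present)"
        fi
    done
    rm -rf "$dir"
}

demo
```

To check a live server instead of the locally generated pair, call fetch_server_cert your.server 443 server.pem and then server_cert_ok server.pem; the demo avoids that step only because it needs network access.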